Securing OpenStack API service endpoints using CA Signed Certificates

CA Certificate (Certificate Authority)
CA-signed certificates are valid SSL certificates. The main difference between self-signed certificates and certificates from a trusted CA is that browsers throw an error for a self-signed certificate (an insecure warning: the certificate is not valid SSL and was not issued by a trusted CA).

Previous posts covered configuring self-signed certificates for the OpenStack service API endpoints (Keystone, Glance, Nova, Neutron, Horizon, Cinder and Heat). This post is a guide to configuring valid SSL for the OpenStack service API endpoints.

CA trusted Certificate for OpenStack

The CA certificate consists of three files (a CRT file, a key file and a bundle file).

client.crt, client.key and bundle.crt are the certificate files. These three files should be merged, and the merged file should be used as the certificate file and the .key file as the key file when configuring valid SSL for the OpenStack endpoints.

Configuring Valid SSL for Keystone, Glance, Nova, Neutron, Cinder and Heat

There is no major difference between configuring self-signed and valid SSL for OpenStack endpoints. For self-signed certificates, insecure = true is placed under the relevant sections in the .conf files to skip verification of the self-signed certificate (for configuring a self-signed certificate, refer to the previous posts in this blog). When configuring valid SSL for the OpenStack endpoints, insecure = false should be used instead of insecure = true.

For Horizon,
Add the line OPENSTACK_SSL_NO_VERIFY = False in /etc/openstack-dashboard/

The two steps mentioned above are the difference between the valid SSL configuration and the self-signed configuration for OpenStack service endpoints. The other steps are the same for both types of certificate.
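
After moving from self-signed to CA-signed certificates, any leftover insecure = true or OPENSTACK_SSL_NO_VERIFY = True silently keeps certificate verification off. The following check is an added example, not code from this blog or from OpenStack; the sample configuration, the hostname, the function names and the set of boolean spellings treated as true are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: a service .conf still carrying settings from a self-signed setup.
SAMPLE_CONF = """\
[DEFAULT]
debug = false
[keystone_authtoken]
auth_url = https://controller.example.test:5000/v3
insecure = true
[glance]
insecure = Yes
[neutron]
insecure = false
[cinder]
# insecure = true
"""

# Constructed sample of the Horizon setting named in the post.
SAMPLE_HORIZON = "OPENSTACK_SSL_NO_VERIFY = True\n"

# Assumed boolean spellings that mean "enabled" (compared case-insensitively).
TRUE_VALUES = {"1", "true", "yes", "on"}


def insecure_sections(conf_text):
    """Return the sections whose `insecure` option still disables certificate verification."""
    # default_section is renamed so [DEFAULT] values are not inherited by every section;
    # strict=False tolerates sections or options repeated in one file (last value wins).
    parser = configparser.RawConfigParser(default_section="__unused__", strict=False)
    parser.read_string(conf_text)
    return [
        section
        for section in parser.sections()
        if parser.get(section, "insecure", fallback="false").strip().lower() in TRUE_VALUES
    ]


def horizon_skips_verification(settings_text):
    """Return True if an uncommented OPENSTACK_SSL_NO_VERIFY line is set to True."""
    pattern = re.compile(r"^\s*OPENSTACK_SSL_NO_VERIFY\s*=\s*True\b", re.MULTILINE)
    return bool(pattern.search(settings_text))


if __name__ == "__main__":
    print("sections skipping verification:", insecure_sections(SAMPLE_CONF))
    print("Horizon skips verification:", horizon_skips_verification(SAMPLE_HORIZON))
```

Run it against each service's .conf file and the Horizon settings file; an empty list and False mean no verification bypass is left over from the self-signed configuration.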